WPA2-Enterprise and 802.1X Simplified

September 19, 2019Adam

Simplifying WPA2-Enterprise and 802.1X

WPA2-Enterprise has been around since 2004 and is still considered the gold standard for wireless network security, delivering over-the-air encryption and a high level of security. In conjunction with the effective authentication method known as 802.1X, users have been successfully authorized for secure network access for many years. But in that time, WPA2-Enterprise hasn’t gotten any easier to manually configure. Regardless of whether you are deploying a wireless network for the first time or a seasoned expert, there are always unique challenges ready to give you a headache. Luckily, tried and true networking solutions are available to that seek to correct the network difficulties you experience.

WPA2-PSK and WPA2-Enterprise: What’s the Difference?

WPA2-PSK

WPA2-PSK (Pre-Shared Key) requires a single password to get on the wireless network. It’s generally accepted that a single password to access Wi-Fi is safe, but only as much as you trust those using it. Otherwise, it’s trivial for someone whose obtained the password through nefarious means to infiltrate the network. This is why WPA2-PSK is often considered insecure.

There are only a few situations in which WPA2-PSK should be deployed:

The network has just a few devices, all of which are trusted. This could be a home or small office.

As a way to restrict casual users from joining an open network when unable to deploy a captive portal. This could be a coffee shop or guest network.

As an alternative network for devices not compatible with 802.1X. An example being game consoles in a student dorm.

WPA3-PSK

To improve the effectiveness of PSK, updates to WPA3-PSK offer greater protection by improving the authentication process. A strategy to do this uses Simultaneous Authentication of Equals (SAE) to make brute-force dictionary attacks far more difficult for a hacker. This protocol requires interaction from the user on each authentication attempt, causing a significant slowdown for those attempting to brute-force through the authentication process.

WPA2-Enterprise

Deploying WPA2-Enterprise requires a RADIUS server, which handles the task of authenticating network users access. The actual authentication process is based on the 802.1X policy and comes in several different systems labelled EAP. Because each device is authenticated before it connects, a personal, encrypted tunnel is effectively created between the device and the network.

WPA3-Enterprise

A significant improvement that WPA3-Enterprise offers is a requirement for server certificate validation to be configured to confirm the identity of the server to which the device is connecting.

Interested in learning more about WPA3? Get the details about the changes WPA3 is poised to bring in this article.

Deploying WPA2-Enterprise and 802.1X

There are just a few components that are needed to make 802.1X work. Realistically, if you already have access points and some spare server space, you possess all the hardware needed to make secure wireless happen. Sometimes you don’t even need the server: some access points come with built-in software that can operate 802.1X (though only for the smallest of small deployments). Regardless of whether you purchase professional solutions or build one yourself from open source tools, the quality and ease of 802.1X is entirely a design aspect.

The Components of 802.1X

Client / Supplicant

In order for a device to participate in the 802.1X authentication, it must have a piece of software called a supplicant installed in the network stack. The supplicant is necessary as it will participate in the initial negotiation of the EAP transaction with the switch or controller and package up the user credentials in a manner compliant with 802.1X. If a client does not have a supplicant, the EAP frames sent from the switch or controller will be ignored and the switch will not be able to authenticate.

Fortunately, almost all devices we might expect to connect to a wireless network have a supplicant built-in. SecureW2 provides a 802.1X supplicant for devices that don’t have one natively.

Thankfully, the vast majority of device manufacturers have built-in support for 802.1X. The most common exceptions to this might be consumer gear, such as game consoles, entertainment devices or some printers. Generally speaking, these devices should be less than 10% of the devices on your network and are best treated as the exception rather than the focus.

Switch / Access Point / Controller

The switch or wireless controller plays an important role in the 802.1X transaction by acting as a ‘broker’ in the exchange. Until a successful authentication, the client does not have network connectivity, and the only communication is between the client and the switch in the 802.1X exchange. The switch/controller initiates the exchange by sending an EAPOL-Start packet to the client when the client connects to the network. The client’s responses are forwarded to the correct RADIUS server based on the configuration in the Wireless Security Settings. When the authentication is complete, the switch/controller makes a decision whether to authorize the device for network access based on the user’s status and possibly the attributes contained in the Access_Accept packet sent from the RADIUS server.

If the RADIUS server sends an Access_Accept packet as a result of an authentication, it may contain certain attributes which provide the switch information on how to connect the device on the network. Common attributes will specify which VLAN to assign a user, or possibly a set of ACLs (Access Control List) the user should be given once connected. This is commonly called ‘User Based Policy Assignment’, as the RADIUS server is making the decision based on user credentials. Common use cases would be to push guest users to a ‘Guest VLAN’ and employees to an ‘Employee VLAN’.

RADIUS Server

The RADIUS server acts as the “security guard” of the network; as users connect to the network, the RADIUS authenticates their identity and authorizes them for network use. A user becomes authorized for network access after enrolling for a certificate from the PKI (Private Key Infrastructure) or confirming their credentials. Each time the user connects, the RADIUS confirms they have the correct certificate or credentials and prevents any unapproved users from accessing the network. A key security mechanism to employ when using a RADIUS is server certificate validation. This guarantees that the user only connects to the network they intend to by configuring their device to confirm the identity of the RADIUS by checking the server certificate. If the certificate is not the one which the device is looking for, it will not send a certificate or credentials for authentication.

RADIUS servers can also be used to authenticate users from a different organization. Solutions like Eduroam have RADIUS servers work as proxies (such as RADSEC) so that if a student visits a neighboring university, the RADIUS server can authenticate their status at their home university and grant them secure network access at the university they are currently visiting.

Identity Store

The Identity Store refers to the entity in which usernames and passwords are stored. In most cases, this is Active Directory, or potentially an LDAP server. Almost any RADIUS server can connect to your AD or LDAP to validate users. There are a few caveats when LDAP is used, specifically around how the passwords are hashed in the LDAP server. If your passwords are not stored in cleartext or an NTLM hash, you will need to choose your EAP methods carefully as certain methods, such as EAP-PEAP, may not be compatible. This is not an issue caused by RADIUS servers, but rather from the password hash.

SecureW2 can help you set up SAML to authenticate users, on any Identity Provider, for Wi-Fi access. Here are guides to integrating with some popular products.

Developing a robust WPA2-Enterprise network requires additional tasks, like setting up a PKI or CA (Certificate Authority), to seamlessly distribute certificates to users. But contrary to what you might think, you can make any of these upgrades without buying new hardware or making changes to the infrastructure. For example, rolling out guest access or changing the authentication method can be accomplished without additional infrastructure. Recently, many institutions have been switching EAP methods from PEAP to EAP-TLS after seeing noticeable improvement in connection time and roaming ability. Improving the functionality of wireless networks can be gained without changing a single piece of hardware.

WPA2-Enterprise Protocols

What follows is a brief summary of the primary WPA2-Enterprise Authentication Protocols. If you’d like a more in-depth compare-and-contrast, read the full-length article.

EAP-TLS

EAP-TLS is a certificate-based protocol that is is widely considered one of the most secure EAP standards because it eliminates the risk of over-the-air credential theft. It’s also the protocol that provides the best user experience, as it eliminates password-related disconnects due to password-change policies. In the past, there was a misconception that certificate-based authentication was difficult to setup and/or manage, but now EAP-TLS is regarded by many to actually be easier to setup and manage than the other protocols.
Want to learn more about the advantages of EAP-TLS and how SecureW2 can help your implement it in your own network? Click the link!

EAP-TTLS/PAP

EAP-TTLS/PAP is a credential-based protocol that was created for an easier setup because it only requires the server to be authenticated, while user authentication is optional. TTLS creates a “tunnel” between the client and the server and gives you multiple choices for authentication.

But TTLS includes many vulnerabilities. The configuration process can be difficult for inexperienced network users, and a single misconfigured device can result in significant loss to the organization. The protocol allows credentials to be sent over the air in Cleartext, which can be vulnerable to cyber attacks like Man-In-The-Middle and easily repurposed to accomplish the hacker’s goals.

PEAP-MSCHAPv2

PEAP-MSCHAPv2 is a credential-based protocol that was designed by Microsoft for Active Directory environments. Although it’s one of the most popular methods for WPA2-Enterprise authentication, PEAP-MSCHAPv2 does not require the configuration of server-certificate validation, leaving devices vulnerable to Over-the-Air credential theft. Device misconfiguration, when left to end users, is relatively common which is why most organizations rely on Onboarding Software to configure devices for PEAP-MSCHAPv2. Read how College of William & Mary converted from PEAP-MSCHAPv2 to EAP-TLS authentication to provide more stable authentication to network users.For more information on PEAP MSCHAPv2, read this article.

802.1X Authentication Methods

Before users can be authenticated for network access day-to-day, they must be onboarded to the secure network. Onboarding is the process of reviewing and approving users so they can connect to the secure network using a form of identification, such as username/password or certificates. This process often becomes a significant burden because it requires users to get their devices configured for the network. For regular network users, the process can prove to be too difficult because it requires high level IT knowledge to understand the steps. For example, universities at the beginning of an academic year experience this when onboarding hundreds or even thousands of student’s devices and results in long lines of support tickets. Onboarding clients offer an easy-to-use alternative that enables end users to easily self-configure their devices in a few steps, saving users and IT admins a ton of time and money.

Password-Based Authentication

The vast majority of authentication methods rely on a username/password. It’s the easiest to deploy since most institutions already have some sort of credentials set up, but the network is susceptible to all of the problems of passwords without an onboarding system (see below).

For password-based authentication, there are basically 2 options: PEAP-MSCHAPv2 and EAP-TTLS/PAP. They both function similarly, but TTLS is not supported by any Microsoft OS before Windows 8 without using a third party 802.1X supplicant, such as our Enterprise Client. At this point, most institutions have deployed or made the switch to PEAP. However, you can’t deploy PEAP without either using Active Directory (a proprietary Microsoft service) or leaving your passwords unencrypted.

Token-Based Authentication

Historically, tokens were physical devices in the form of key fobs or dongles that would be distributed to users. They generated numbers in sync with a server to add additional validation to a connection. Even though you can carry them around and utilize advanced features like fingerprint scanners or as USB plug-ins, dongles do have downsides. They can be expensive and are known to occasionally lose connection to the servers.

Physical tokens are still in use, but their popularity is waning as smartphones have made them redundant. What was once loaded onto a fob you can now put into an app. In addition, there are other methods for two-factor authentication outside of the EAP method itself, such as text or email confirmations to validate a device.

Certificate-Based Authentication

Certificates have long been a mainstay of authentication in general, but are not typically deployed in BYOD settings since certificates require users to install them on their own devices. However, once a certificate is installed, they are amazingly convenient: they are not affected by password change policies, are far safer than usernames/passwords, and devices are authenticated faster.

SecureW2’s PKI services, combined with the JoinNow onboarding client, create a turnkey solution for certificate-based Wi-Fi authentication. An effective PKI provides all the necessary infrastructure to implement a certificate-based network and maintains the security and distribution of all network certificates.. Organizations can now seamlessly distribute certificates to devices and manage them with ease using our powerful certificate management features.

WPA2-Enterprise Challenges

In our experience, we’ve found that the average WPA2-Enterprise network suffers from a combination of these 4 problems:

Drawback #1: Device variation

When IEEE created the 802.1X protocol in 2001, there were few devices that could use wireless access and network management was much simpler. Since then, the number of device manufacturers has exploded with the rise of mobile computing. To give some perspective, there are more flavors of Android today than there were entire operating systems in 2001.

Support for 802.1X is inconsistent across devices, even between devices of the same OS. Each device has unique characteristics that can make them behave unpredictably. This problem is made worse by unique drivers and software installed on the device.

Drawback #2: MITM and delivering certificates

While WPA2 offers a very secure connection, you also have to be sure that the users will only connect to the secure network. A secure connection is meaningless if the user unknowingly connected to a honeypot or imposter signal. Institutions often sweep for and detect rogue access points, including Man-in-the-Middle attacks, but users can still be vulnerable off-site. A person with a laptop can attempt to quietly gather user credentials at a bus stop, coffee shop, or anywhere devices might pass through and try to auto-connect.

Drawback #3: The Password change problem

Networks with passwords that expire on a regular basis face an additional burden with WPA2-Enterprise. Each device will lose connectivity until reconfigured. This was less of an issue when the average user had only one device, but in today’s BYOD environment, each user is likely to have multiple devices that all require a secure network connection. Depending on how password changes are enacted or the users’ abilities to manage passwords, this can be a burden on helpdesks.

It’s even worse on networks that have unexpected password changes due to data breaches or security vulnerabilities. In addition to having to roll out new credentials site-wide, IT has to deal with an influx of helpdesk tickets related to Wi-Fi.

Drawback #4: Changing user expectation

By far the most difficult part of completing a WPA2-Enterprise network setup is training the users. Users today have incredibly high expectations for ease of use. They also have more options than ever to work around official access. If the network is too hard to use, they’ll use data. If the certificate is bad, they will ignore it. If they can’t access something they want, they will use a proxy.

For WPA2-Enterprise to be effective, you need to make it as easy as possible for network users to navigate without sacrificing security.

Before you get started on your WPA2-Enterprise network, check out our primer on the most common mistakes people make when setting up WPA2-Enterprise.

Simplifying WPA2-Enterprise with JoinNow

A properly configured WPA2-Enterprise network utilizing 802.1X authentication is a powerful tool for protecting the safety of network users and securing valuable data; but by no means is this the end of network considerations you need to make. Many components contribute to the security and usability of the network as a complete system. If just the authentication method is secure while the configuration of managed devices is left to the average network user, there is a serious risk to the integrity of the network. SecureW2 recognizes that every facet of the wireless network must work in unison for iron-clad security, so we’ve provided some turnkey concepts that every network administrator needs to consider in their network planning.

Efficiency Through Onboarding

One of the greatest challenges for network administrators is efficiently and accurately onboarding users to the secure network. If left to their own devices, many users will misconfigure. Configuring for a WPA2-Enterprise network with 802.1X authentication is not a simple process and involves several steps that a person unfamiliar with IT concepts would not understand. If users are not connecting to the secure SSID and are not properly set up for WPA2-Enterprise, the security benefits admins expect will be lost. For those that want the advantages that come with certificate-based networks, many opt to deploy an onboarding client that will automatically configure users devices.

Onboarding clients, such as those offered by SecureW2, eliminate the confusion for users by prompting them with only a few, simple steps designed to be completed by K-12 age students and up. The result is a properly configured WPA2-Enterprise network with 802.1X authentication that has successfully onboarded all network users to the secure network.

Want more info on the advantages of a streamlined and secure Bring Your Own Device (BYOD) Onboarding software? Check out this informative piece on onboarding!

Certificate-Hardened WPA2-Enterprise

A PKI enables organizations to use x.509 certificates and distribute them to network users. It consists of an HSM (Hardware Security Module), CAs, client, public and private keys, and a CRL (Certificate Revocation List). An effective PKI significantly bolsters network security, allowing organizations to eliminate password-related issues with certificate-based authentication. Once the PKI is configured, network users can begin enrolling for certificates. This is a challenging task to complete, but organizations that have used an onboarding client have had the most success distributing certificates. SecureW2 is able to provide all the tools needed for a successful PKI deployment and efficient distribution of certificates. After equipping their devices with a certificate, users are ready to be authenticated for the wireless network. Beyond secure wireless authentication, certificates can be used for VPN, Web application authentication, SSL Inspection security, and much more.

WPA2-Enterprise Managed Device Configuration

Enterprises with managed devices often lack a unified method of getting devices configured for certificate-driven security. Allowing users to self-configure often results in many misconfigured devices, and leaving the task to IT can be mountainous. Configuring dozens, or sometimes even hundreds, of devices manually for a secure WPA2-Enterprise network is often considered too labor-intensive to be worthwhile. SecureW2’s advanced SCEP and WSTEP gateways provide a means to auto-enroll managed devices with no end user interaction. In one fell swoop, these gateways allow an IT department to configure managed devices from any major vendor for certificate-driven network security.

RADIUS Servers and Policy Driven Access Control

The RADIUS server plays a critical role in the network, authenticating every device when they connect to the network. SecureW2’s JoinNow solution comes built-in with a world-class RADIUS server, providing powerful, policy-driven 802.1X authentication. Backed by AWS, it delivers high availability, consistent and quality connections, and requires no physical installation. The server can be easily configured and customized to fit any organizations’ requirements, with no forklift upgrades of existing infrastructure required. Once fully integrated, the certificate-based network is ready to begin authenticating network users. With additives such as an industry-unique Identity Lookup integration with Google Apps, your network can authenticate certificates faster and more accurately than credential-based networks. The keys to a successful RADIUS deployment are availability, consistency, and speed. SecureW2’s RADIUS equips organizations with the tools they need to make the secure network easy to connect to and always available so users are consistently protected from outside threats.